A Delegated Authorization Use Case

This use case has come up in previous articles and posts, and I’d like to take a deeper look at what’s possible today to support such scenarios. Let’s start with describing the use case, then examining how it could be implemented using existing technologies, and finally outlining its limitations.

The Use Case

“As a busy working mom, I want to delegate authority to my daughter to stop by Costco after school and pick up groceries. My daughter doesn’t have her own Costco card, so she needs to use my membership and payment method. Costco must be able to verify that the person using the credential is indeed my daughter and that she’s been authorized by the account holder to make purchases up to a specified spending limit (e.g., $400).”

Breaking Down the Use Case

What’s required to make this use case work?

1. Delegated Authority Token – A digital representation of permission, where the parent (Alice) delegates purchasing rights—up to $400—to her daughter (Eve), tied to her Costco membership.
2. Credential Transfer Mechanism – A secure way for Alice to transfer the delegated credential to Eve, ideally using a mobile app or wallet.
3. Credential Presentation – A method for Eve to present the credential at Costco, both for store entry and at checkout.
4. Credential Verification – Costco must trust the credential, confirm it hasn’t been tampered with, and verify that Eve is the individual to whom it was issued.
5. Governance – Governance is limited in this case as both issuer and verifier are Costco. However, Costco does need to manage risk in regards to the wallets used to present the issued credential.

User Journeys for Alice and Eve

Let’s assume the Costco mobile app supports the creation of a Digital Credential (more formally, a Verifiable Credential or VC) containing:

• The relationship between Alice and Eve
• Authorization policy (e.g., spending cap)
• Identity evidence (e.g., photo of Eve)

Alice opens the Costco app, selects an option to delegate her membership, and sets a $400 spending limit. She uploads a recent photo of Eve to help store personnel verify her identity. The app generates the credential and displays a QR code, which Eve scans with her mobile wallet to receive the credential.

At the store, Eve presents her credential at the entrance. The Costco scanner reads the credential, displays Eve’s photo, and a staff member confirms her identity. She’s allowed in.

At checkout, Eve presents the same credential again. Costco verifies her identity and the spending limit. If all checks out, the transaction is processed using the payment method associated with Alice’s Costco account. (Note: Costco already supports mobile payments in-app today.)

What Standards Make This Technically Possible?

Several emerging identity standards support this type of delegated access:

• SD-JWT VC (Selective Disclosure JWT-based Verifiable Credential): A privacy-respecting credential format that supports selective disclosure of data.
• OpenID4VCI (OpenID for Verifiable Credential Issuance): A protocol that enables Alice to issue a credential to Eve securely.
• OpenID4VP (OpenID for Verifiable Presentations): Allows Eve to present that credential to Costco in a verifiable and privacy-preserving way.

These standards can be used to transfer credentials securely and verify them without exposing unnecessary data. Additionally, identity verification technologies (e.g., biometric matching or photo confirmation) could enhance trust, even without direct photo embedding.

Implications

This use case is viable because the issuer and the verifier are the same entity—Costco. Since Costco both issues and verifies the credential, it doesn’t need to rely on an external party’s trustworthiness. It can validate whether the credential was issued by its own systems and enforce strict rules such as expiration or usage limits.

For example, Costco might:

• Limit the lifetime of the credential (e.g., valid for one day)
• Restrict the number of delegated credentials per account per month
• Require real-time photo confirmation at the point of use

However, if the issuer and verifier were different entities (e.g., issuing a credential from a school to be used at a third-party store), the trust model becomes more complex. Liability, interoperability, and governance all become critical concerns.

Final Thoughts

As we move toward a world of digital wallets and verifiable credentials, scenarios where the issuer and verifier are the same legal entity will be the easiest to implement. These reduce complexity, legal liability, and trust barriers significantly.

Cross-domain use cases—where issuer and verifier are different—require robust governance frameworks, like those discussed by Heather Flanagan and others in the identity community. Without such frameworks, adoption of broader delegated access scenarios will remain limited due to unresolved risk and trust concerns.